A heap‑based buffer overflow exists in a component of the Windows kernel. This flaw can be triggered by an attacker who already has local user or system credentials on the affected system and can result in the acquisition of higher privileges. The weakness is classified as CWE‑122, indicating that improper bounds checking of untrusted input in heap memory is the root cause. This type of vulnerability can lead to compromised confidentiality, integrity, and availability of the host operating system if the attacker gains system or administrative rights.

The vulnerability affects multiple recent Windows releases, including Windows 10 versions 21H2 and 22H2, as well as Windows 11 versions 23H2, 24H2, 25H2, 26H1, 22H3, and 26H1, and several Windows Server editions such as Server 2022, Server 2025, and Server 23H2 (both full and Server Core installations). The affected builds vary by architecture, encompassing x86, x64, and ARM64 platforms as listed in the CNA vendor/product entries.

The CVSS score of 7.8 places this vulnerability in the high‑impact range, reflecting the significant escalation potential combined with the need for local authenticated access. The EPSS score is not available, so the current probability of exploitation in the wild cannot be quantified. Microsoft does not list this issue in the CISA KEV catalog, indicating no publicly known exploits at this time. The attack vector is local and requires that the attacker already has legitimate user or system privileges on the machine; once leveraged, the kernel‑level exploitation grants full control over the host.